Google: Security Keys Neutralized Employee Phishing July 23, 2018 https://krebsonsecurity.com/2018/07/google-security-keys-neutralized-employee-phishing/
That is impressive. But then, I presume that their physical security is also pretty tight. But let's say that mine isn't. How hard would it be to brute-force the physical key? Also, I'm guessing that such physical keys are well-enough isolated from devices that malware can't compromise them. Right?
You mean all 70k+ Google engineers around the world? No, they aren't. Of course they also use role-based access control and the principle of least privilege.
Google announces its own security key for stronger logins https://www.theverge.com/2018/7/25/17613332/google-titan-security-key-login-2fa
Nobody short of the NSA on steroids is even going to dream about breaking into a U2F element remotely. NO known way to even get close! I have never slept better at night. After transitioning to U2F exclusively for my most important "true name" accounts I have lost all concerns for phishing, MITM, etc. Yubikeys (the industry leader for the general population) cannot be manipulated at all. One of Yubico's strictest guidelines is that you can't EVER change the firmware, even with their assistance. It comes from the "factory" with SET firmware and it's not going to get changed. If you consider security as a pipe, remember it has two ends. Assuming the user keeps their end of the pipe secure, the attacker can still consider trying to break in from the other end, which is the website server. If a site runs poor OpSec and the server end is breached, it won't really matter if YOUR end is solid.
If we're talking about the U2F key on its own (not the "normal" Yubikey, which has richer functionality and can be reprogrammed), then the API is extremely simple and, I suspect, extremely hard to attack remotely UNLESS there are undocumented features built in by the vendor and known to the attacker. Which leads to the usual conclusion: an open source firmware project with suitable open hardware support is the ticket, if you're not willing to trust Yubico.
OK, thanks. But what if an adversary has the key? I get that at least some will nuke after too many failures. But what about physical hacking? Do they have the sorts of hardware protection that military-grade crypto modules use? Such as embedded wire grids?
My understanding of the physical security of the classic Yubikey is that it was nothing special, with no military-grade crypto modules or self-destruct or anything. So, you'd have to assume that if physically owned, the root certificate/secret would become vulnerable (the U2F Yubikey generates certificates on the fly using the source URL as part of the derivation, which is why it doesn't need to generate a certificate per site and store it every time). I'm personally less concerned about that because that's nation-state stuff, and if they have your U2F key, they probably have you by other things you have.
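The origin-bound derivation described in the post above, as an added illustration that is not code from the thread or from Yubico: the authenticator keeps one master secret, derives a per-origin key from the app ID plus a nonce, and hands back a key handle that is MAC-bound to that app ID. This is modelled after the key-wrapping approach Yubico has published for U2F; the real device derives an ECDSA private key from the per-origin secret and signs challenges with it, which this demo omits, and the browser (not the user) supplies the app ID, so a phishing domain presents a different app ID and the stored key handle is rejected. All values are constructed for the demo.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Per-device master secret: a real key generates this at manufacture and
# never exports it. Constructed value for the demo only.
MASTER_SECRET = hashlib.sha256(b"demo-master-secret-not-real").digest()


def register(master: bytes, app_id: str,
             nonce: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Simulate U2F registration for one origin.

    Returns (key_handle, per_origin_key). The key handle is nonce || MAC,
    where the MAC binds the nonce to app_id, so the device stores nothing
    per site and can still reject handles presented for another origin.
    """
    nonce = nonce if nonce is not None else os.urandom(32)
    app = app_id.encode()
    key = hmac.new(master, app + nonce, hashlib.sha256).digest()
    tag = hmac.new(master, app + key, hashlib.sha256).digest()
    return nonce + tag, key


def rederive(master: bytes, app_id: str,
             key_handle: bytes) -> Optional[bytes]:
    """Simulate the authentication step.

    Recomputes the per-origin key from app_id and the handle's nonce and
    checks the embedded MAC. Returns the key, or None when the handle was
    not issued for this app_id (e.g. the relying party is a look-alike
    domain), which is the property that defeats credential phishing.
    """
    if len(key_handle) != 64:
        return None
    nonce, tag = key_handle[:32], key_handle[32:]
    app = app_id.encode()
    key = hmac.new(master, app + nonce, hashlib.sha256).digest()
    expected = hmac.new(master, app + key, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return key


if __name__ == "__main__":
    handle, key = register(MASTER_SECRET, "https://accounts.example.com")
    assert rederive(MASTER_SECRET, "https://accounts.example.com", handle) == key
    # Same handle, different (phishing) origin: the device refuses it.
    assert rederive(MASTER_SECRET, "https://accounts-example.com", handle) is None
    print("origin binding holds")
```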
You can buy Google's $50 set of Titan security keys now Two keys to success... or at least better two-factor authentication. August 30, 2018 https://www.cnet.com/news/you-can-buy-googles-50-set-of-security-keys-now/
Hopefully they will quickly enable the NFC capabilities for better sales. I use NFC for Google Pay, so it's on already. My Yubikeys work perfectly for NFC and U2F on my accounts. Not having NFC would be "game over" for me. I don't run with Bluetooth on. Others may differ, but I am who I am. I am curious if they have tried these against Android Pie, which I have running in full developer mode.
Why is Google selling potentially compromised Chinese security keys? https://www.zdnet.com/article/googl...eys-from-chinese-firm-with-military-links-in/
Google Titan Security Key review: An expensive, easy-to-use security key October 6, 2018 https://mashable.com/review/google-titan-security-key/?europe=true&utm_cid=hp-h-1
Titan Security Key no longer available from the Google Store https://www.androidpolice.com/2019/...ey-no-longer-available-from-the-google-store/
I think the Titan stuff was always an interim solution; hopefully there will be adoption of FIDO2 and WebAuthn. If that works OK, that is, and there are decent adoption levels, which hasn't happened for 1st gen U2F (which only ever worked with Chrome).
Google Gives Free Security Keys to Activists, But Not if You’re in Iran or Syria April 26, 2019 https://motherboard.vice.com/en_us/...keys-iran-syria-cuba-crimea-sudan-north-korea
MFA is No Cure for Phishing May 31, 2019 https://www.ethicalhacker.net/columns/kron/mfa-is-no-cure-for-phishing/
Google Titan Security Key now available in Canada, France, Japan, and the UK https://www.androidpolice.com/2019/...-available-in-canada-france-japan-and-the-uk/
As far as I can tell, the Titan USB key is still the FIDO 1 U2F standard, which means it isn't supported on Edge and Firefox, only Chrome. If this is the case, and there's no support for FIDO2 WebAuthn, that's not a very good deal. This only seems to make sense if you're tying yourself to Google accounts, Chrome and Android.
Google is releasing a USB-C Titan security key. Made in partnership with Yubico. October 14, 2019 https://www.theverge.com/2019/10/14...o-yubikey-nfc-bluetooth-fido-os-compatibility
Google: USB-C Titan Security Keys - available tomorrow in the US
At least they're using Yubikey, so that means FIDO2 WebAuthn. And perhaps they've given up on over-the-air connections (BT & NFC), since bugs always crawl out of the woodwork. It'll be interesting to see what the API is to the new dongle over USB-C, and what apps support that on the smartphones. Yubico also do a combined USB-C and Lightning dongle, which will probably be more suitable for iOS users in the future (although I don't know the status of that project right now; it says "emerging support for Lightning connector"). Not sure how I'd feel about having to physically connect over USB-C often; the connector mounts will need to be robust, and not all phones are in that category. I'm rather happier with the current NFC connection really.
Titan Security Keys - now available in Austria, Canada, France, Germany, Italy, Japan, Spain, Switzerland, and the UK February 18, 2020 https://security.googleblog.com/2020/02/titan-security-keys-now-available-in.html
Google can add account security keys through Safari and mobile Chrome https://www.engadget.com/2020/03/07/google-enroll-security-keys-safari-android-chrome/